Sunday, March 31, 2013

Web applications are so very convenient. But there’s always a rub.
When you move your life onto the web, you lose control of your data.
And — who knows? — your web app of choice may even vanish from the face
of the Earth while you’re still using it. Think Google Reader.
The growing Indie Web Movement
hopes to alleviate these problems, working to give web users more
control over their online data and identity. The latest example is an
open source software tool called Huginn.
Huginn works a lot like popular web services such as IFTTT (“If This, Then That”), Zapier, and Yahoo Pipes.
It’s a platform for running web bots — called “agents” — that can
gather information from across the net and ping you when certain things
happen.
The difference is that it’s open source software that runs on your
own server. That means you control the data it collects and creates.
Huginn can notify you when your favorite sites are updated, aggregate
your location check-ins over time, or warn you the day before it’s
supposed to snow. But the most interesting tool may be the one that
monitors keywords on Twitter and notifies you when everyone starts
talking about stuff you’re interested in.
But that’s just the beginning. Developers can build more “agents” for
the platform. The software is named after the ravens of Norse
mythology, Huginn and Muninn, who travel the world collecting
information for the god Odin.
But the point, says Andrew Cantino, the creator of Huginn, is that
it’s not Pipes or IFTTT. “Pipes isn’t really being maintained,” says
Andrew Cantino, the creator of Huginn. “If This Then That seems to be
doing well, but I don’t really know if it’s going to stick around.
Ultimately, I don’t control the data.”
Cantino says he created the software for his own use, and he almost
didn’t open source Huginn. But he’s glad it did. The response has been
enormous. It garnered over 1,200 stars on it first day on the
source-code-hosting-site GitHub.
Cantino doesn’t have any plans to turn Huginn into a business as of
yet. Before seeing the response to the application, he wasn’t even
considering the idea. He works for the web-based project management
software company Mavenlink, which doesn’t leave him with a lot of time on his hands.
“If I did turn it into a business, I would have to be very careful
about how I did it. People need to own their data,” he says. He’s
reluctant to create a hosted version of the application, saying some of
the tools — such as site scraping — could be easily abused. But if he
did, he would make it possible for users to export their data.
In the meantime, he wants to make it easier for users to get started
hosting their own version of the software. He says that once it’s
deployed, Huginn is pretty easy to use. Unless you wan to create custom
agents, you don’t need to do any programming. But it would be hard for a
non-program to set the application up to begin with. He says developers
on GitHub are already working on a version that is easy to deploy to
Amazon EC2 or Heroku.
He also hopes to see the number of agents grow. He thinks some sort
of directory of agents will prove useful, and perhaps a marketplace for
people to sell agents they’ve built will make sense.
Nothing is perfect. The sites that Huginn monitors can change or
disappear. But it does give users a permanent repository for the data it
collects. It’s a welcome addition to other indie web projects like decentralized wiki inspired by GitHub and created by Ward Cunningham — the creator of the original wiki — and ThinkUp, a tool that lets users backup and analyze everything they post to social media sites.

A lot of sniffers, rootkits, botnets, backdoor shells and malwares
are still on the wild today, which are used by malicious attackers after
successfully pawning a certain server or any live network
in order to maintain their access, elevate their access privilege, and
spy other users in a network. In order to protect our network or server
from such intrusions and further damage, there are free and open source
detection tools that can be deployed and used as part of our security
strategy. They are mandatory when our server or network is up and
running, especially if a certain user is downloading a file which could
possibly be malicious or harmful.
The advantage of using free and open source detection tools is that
you obviously don’t need to pay a single penny and that tutorials are
very easy to get and understand because manuals are included which are
usually named as README so be sure to RTFM (Read the F****** Manual).
Here are some tools which could be of use to you guys

Chkrootkit

Chkrootkit or Check Rootkit is a common open source program or tool
used for scanning rootkits, botnets, malwares, etc. in your Unix/Linux
server or system. It is fully tested on: Linux 2.0.x, 2.2.x, 2.4.x,
2.6.x, and 3.x.x, FreeBSD 2.2.x, 3.x, 4.x, 5.x and 7.x, OpenBSD 2.x, 3.x
and 4.x., NetBSD 1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11,
Tru64, BSDI and Mac OS X. This tool is pre-installed in BackTrack 5
under Anti-Virus Forensic Tools.
To install chkrootkit on a Ubuntu or Debian based distro, you can just type :

sudoapt-get install chkrootkit.

To start checking for possible rootkits and backdoors in your system, type the command:

sudo chkrootkit.

Here are other options you can use after issuing the command sudo chkrootkit -h:

Rootkit Hunter

Rootkit hunter or rkhunter is an Open Source General Public License
(GPL) Rootkit Scanner similar to chkrootkit which is also pre-installed
in BackTrack 5 under Anti-Virus Forensic Tools. This tool scans for
rootkits, backdoors and local exploits by running tests like: MD5 hash
compare, look for default files used by rootkits, wrong file permissions
for binaries, look for suspected strings in LKM and KLD modules, look
for hidden files, and optional scan within plaintext and binary files.
To install rkhunter on a Ubuntu or Debian based distro, you can just type :sudo apt-get install rkhunter.

To start the scanning in your file system, type the command:sudo rkhunter –check.

And if you want check for updates, issue the command:sudo rkhunter –update.
After rkhunter has finished scanning your file system, all the results are logged at /var/log/rkhunter.log.

Here are other useful options for rkhunter as shown in the -h flag: –append-log Append to the logfile, do not overwrite

–syslog [facility.priority] Log the check start and finish times to syslog

–tmpdir Use the specified temporary directory

–unlock Unlock (remove) the lock file

–vl, –verbose-logging Use verbose logging (on by default)

-V, –version Display the version number, then exit

–versioncheck Check for latest version of program

-x, –autox Automatically detect if X is in use

-X, –no-autox Do not automatically detect if X is in use

ClamAV

ClamAV is a known open source anti-virus software in Linux. It is the
most famous Linux anti-virus which has a GUI version now designed for
detecting Trojans, viruses, malware and other malicious threats easier.
ClamAV can also be installed in Windows, BSD, Solaris and even in
MacOSX. Fellow security researcher Dejan Lukan has a detailed tutorial here in InfoSec Institute Resources page on how to install ClamAV and how to work with its command line interface.BotHunter

BotHunter is a network-based botnet diagnosis system which tracks
the two-way communication flows between your personal computer and the
Internet. It is developed and maintained by the Computer Science Laboratory,
SRI International and available for Linux and Unix but now they have
released a Private Test Release and a Pre-Release for Windows.
You can download this software here. You could also check its addon which is called BotHunter2Web.pl. This addon converts
BotHunter infection profiles into web pages, which can be viewed
through your browser directly or via private webserver. BotHunter
infection profiles are typically located in
~cta-bh/BotHunter/LIVEPIPE/botHunterResults.txt.

avast! Linux Home Edition is an anti-virus engine offered free of
charge but only for home and not for commercial use. It includes a
command line scanner and based on my experience it detects some of the
Perl IRC bots I have been collecting like w3tw0rk’s modified IRC
(Internet Relay Chat) bot (originally made by Pitbul) that contains
malicious functions like udpflood & tcpflood functions and allows
its master or bot controller to execute arbitrary commands with the use
of the system() function for Perl.
You can download this antivirus software here.NeoPI

NeoPI is a Python script which is useful for detecting obfuscated and encrypted content within text or script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code. The
development focus of NeoPI was creating a tool that could be used in
conjunction with other established detection methods such as Linux
Malware Detect or traditional signature or keyword based searches. It
is a cross platform script for Windows and Linux. Not only does it aid
users to detect possible backdoor shells but also malicious scripts like
IRC botnets, udpflood shells, vulnerable scripts, and other malicious
stuffs.
To use this Python script, just checkout the code in its official github site and navigate through its directory:git clone https://github.com/Neohapsis/NeoPI.git

cd NeoPI

Then we use the -h flag to see the options for running the script:shipcode@projectX:/opt/NeoPI$ sudo ./neopi.py -h

Based on the options above, if we want to run all tests like Entropy, Longest Word, IC, Signature and run auto file extension tests in the /var/www directory, we can just issue the command:sudo ./neopi.py -a -A /var/www

If you want to generate a CSV outfile for future references, we can use the command:sudo ./neopi.py -C outfile.csv -a -A /var/www
Two security researchers (Scott Behrens and Ben Hagen) here in
InfoSec Institute and the original developers of the NeoPI project have
also written a detailed tutorial entitled ‘Web Shell Detection Using NeoPI‘ which explains Entropy, Longest Word, IC, Signature and other useful tests.Ourmon

Ourmon is a Unix-based open source program and a common network
packet sniffing tool in FreeBSD but it can also be used for detecting
botnets as explained by Ashis Dash in his article entitled ‘Botnet detection tool: Ourmon‘ in Clubhack Magazine or Chmag.Grep

And the last but not the least, we have the grep command which is a
powerful command-line tool in Unix and Linux. It is used for searching
and probing data sets for lines that matches a regular expression. As a
short history, this utility was coded by Ken Thompson on March 3, 1973
for Unix. Nowadays, Grep is known for detecting and searching for pesky
backdoor shells and malicious scripts too.
Grep can also be used for detecting vulnerable scripts (e.g the PHP
function shell_exec which is a risky PHP function that allows remote
code execution or command execution). We can use the grep command to
search for the shell_exec () function as our advantage in our /var/www directory to check for possible PHP files that are vulnerable to RCE or command injection. Here is the command:grep -Rn “shell_exec *( ” /var/www
Backdoor shells commonly use the shell_exec function for executing
arbitrary commands. Aaside from shell_exec function, most PHP backdoor
shells also use functions like base64_decode, eval, phpinfo, system,
php_uname, chmod, fopen, fclose, readfile, edoced_46esab, and passthru.
Thus you could also easily grep these functions:grep -Rn “shell_exec *(” /var/www

grep -Rn “base64_decode *(” /var/www

grep -Rn “phpinfo *(” /var/www

grep -Rn “system *(” /var/www

grep -Rn “php_uname *(” /var/www

grep -Rn “chmod *(” /var/www

grep -Rn “fopen *(” /var/www

grep -Rn “fclose *(” /var/www

grep -Rn “readfile *(” /var/www

grep -Rn “edoced_46esab *(” /var/www

grep -Rn “eval *(” /var/www

grep -Rn “passthru *(” /var/www
In my recent researches, most Perl IRC botnets use common Perl
functions like shell, system, and tcp so we can actually grep these
functions just like hunting or detecting PHP backdoor shells. Thus, if
we want to scan our /var/www directory again then we could just issue
the commands below:grep -Rn “shell *(” /var/www

grep -Rn “tcp *(” /var/www

grep -Rn “system *(” /var/www
Grep is such a good tool for manual detection and forensic analysis .References:

Hackers seem to be successfully attacking almost everyone
these days. Already this year, the news has included high-profile
cyberattacks targeting Facebook, Microsoft, Apple, Chase, Evernote, The Federal Reserve, Twitter, The Wall Street Journal, Bloomberg, Reuters, The New York Times and other companies.
While no security software can provide complete protection from every
cyberattack, the open source community has developed a variety of tools
that home users, small businesses and enterprises can use to improve
their security profile. Many of these open source projects are of a very
high quality—in fact, many have won awards and some have been
incorporated into commercial applications.
Below and on the following pages, we've collected some of the best of
these open source security applications and listed them with similar
commercial software to provide a general idea of their capabilities. We
update this list about once a year. For 2013, we extended it
significantly, as well as updating information on tools we've already
covered and eliminating some of the tools that are no longer regularly
patched.
As always, if you know of additional open source security tools that
you think should be on our list, please note them in the comments
section below.

Anti-Malware

1. ClamAV
Replaces VirusScan Enterprise for Linux
Known as "the de facto standard for mail gateway scanning," ClamAV is
one of the most popular open source security applications available.
The core open source product has been packaged into numerous other
products, including Immunet
a cloud-based version for Windows PCs. Note that the standard version
of ClamAV offers on-demand scanning only and does not scan your system
or incoming content in real-time. Operating System: Linux, but
front-ends and additional versions are available for other OSes.
2. ClamTk
Replaces VirusScan Enterprise for Linux
One of the many front-ends for ClamAV, ClamTk offers an easy-to-use
graphic interface. It's won several awards and is available in numerous
languages. Operating System: Linux.
3. ClamWin Free Antivirus
Replaces Kaspersky Anti-Virus, McAfee AntiVirus Plus, Norton Anti-Virus
More than 600,000 Windows users run this anti-virus software on their
systems. It offers an easy installer, and it integrates with Windows
Explorer and Outlook. As you might guess from the name, it is also based
on ClamAV. Operating System: Windows.

Backup

4. Amanda
Replaces Simpana Backup and Recovery , NetVault, HP StorageWorks EBS
It's website proclaims that Amanda is "the most popular open source
backup and recovery software in the world." It can back up multiple
networked systems to a single tape- or disk-based storage system, and
it's very easy to set up. It comes in a free community version, a paid
enterprise version or as a paid appliance. Operating System: Windows,
Linux, OS X.
5. Areca Backup
Replaces NovaBackup
If you only need to back up a single system, Areca offers an
easy-to-use interface that balances simplicity with flexibility.
Noteworthy features include compression, AES128 and AES256 encryption,
filters and support for incremental, differential, delta and full
backups. Operating System: Windows, Linux.
6. Bacula
Replaces Simpana Backup and Recovery , NetVault, HP StorageWorks EBS
This popular network backup solution was designed for enterprise
users. Those who need commercial support and services can get it through
Bacula Systems. Operating System: Windows, Linux, OS X.
7. Clonezilla
Replaces Norton Ghost
This disk imaging and cloning tool comes in two separate editions.
Clonezilla Live does backup and bare metal recovery for a single system.
Clonezilla SE allows administrators to clone or multi-cast disk images
for forty systems or more at the same time. Operating System: Windows,
Linux, OS X.
8. FOG
Replaces Norton Ghost
Another cloning tool, FOG boasts easy use, centralized
administration, powerful capabilities and scalability that can support
networks with 2 to 20,000 systems. In addition to disk imaging, it also
offers virus scanning, memory testing, disk wiping, testdisk, and file
recovery features. Operating System: Windows, Linux.
9. Partimage
Replaces Norton Ghost, NovaBackup, McAfee Online Backup, Carbonite.com
This backup solution creates an image of a partition or your entire
system, copying only the used portions to save time and space. It can be
used for backup or to copy an image onto many systems. Operating
System: Linux.
10. Redo
Replaces Norton Ghost, NovaBackup, McAfee Online Backup, Carbonite.com
Downloaded more than 750,000 times, Redo claims to be "easiest, most
complete disaster recovery solution available." It runs from a live CD,
so no installation is necessary. It's so fast and easy to use that even
if you erase your entire hard drive, it can get you back up and running
in just ten minutes. Operating System: Linux.

Browser Add-Ons

14. Web of Trust (WOT)
Replaces McAfee SiteAdvisor Plus
According to the counter on its home page, WOT has been downloaded
more than 68 million times. It displays a green, yellow or red "traffic
light" for websites to let you know whether the site has a trusted
reputation or not. It works with all major browsers, including Firefox,
IE, Chrome, Safari and Opera. Operating System: Windows, Linux, OS X.
15. PasswordMaker
Replaces Kaspersky Password Manager, Roboform
Don't keep using the same password over and over! PasswordMaker
creates unique passwords for each service you use. All you have to
remember is one master password and this add-on does the rest for you.
Operating System: Windows, Linux, OS X.

Data Destruction

16. BleachBit
Replaces Easy System Cleaner
BleachBit combines multiple security and privacy functions into a
single utility. It cleans out "junk," like cookies and temporary files,
and it protects your privacy by erasing your history and deleting log
files. It also includes a file "shredder" to help you completely
eliminate all traces of unwanted files. Operating System: Windows,
Linux.
17. Eraser
Replaces BCWipe Enterprise
Like other data "shredding" tools, Eraser completely eliminates all
traces of a file from your drive by overwriting it several times with
random data. The Eraser website suggests you might like to use it to
make sure no one can recover your "passwords, personal information,
classified documents from work, financial records, [or] self-written
poems." Operating System: Windows.
18. Wipe
Replaces BCWipe Enterprise
If you're on Linux, you won't be able to use Eraser, but you will be
able to run Wipe, which offers much the same functionality. The site
also offers a little more technical detail about how secure deletion
works. Operating System: Linux.
19.Darik's Boot and Nuke
Replaces Kill Disk, BCWipe Total WipeOut
If you need to delete an entire drive, DBAN does the job. It's a
great tool to use if you plan to donate or dispose of an old system and
don't want people to be able to access your records from the hard drive.
Operating System: OS Independent.

Email Security/Filtering

22. Scrollout F1
Replaces Barracuda Spam and Virus Firewall, SpamHero, Abaca Email Protection Gateway
Extremely popular, Scrollout F1 incorporates anti-spam, anti-virus
and data loss protection capabilities into a free gateway security
solution. It works with all mail servers, including Microsoft Exchange,
Lotus Domino, Postfix, Exim, Qmail and others. Operating System:
Windows, Linux.
23. ASSP
Replaces Barracuda Spam and Virus Firewall, SpamHero, Abaca Email Protection Gateway
This anti-spam proxy filter claims "When it comes to killing SPAM
nothing is as deadly as an ASSP!" Key features include easy
browser-based setup, support for most SMTP servers, automatic
whitelisting for people you e-mail, early sender validation, virus
filtering (based on ClamAV) and more. Operating System: OS Independent.
24. MailScanner
Replaces Barracuda Spam and Virus Firewall, SpamHero, Abaca Email Protection Gateway
This spam blocker boasts that it has been downloaded more than 1.4
million times (approximately 30,000 times per month) and is currently
used in more than 225 countries. It includes both anti-virus and
anti-spam capabilities, and it is included in many Linux distributions.
Operating System: OS Independent.
25. SpamAssassin
Replaces Barracuda Spam and Virus Firewall, SpamHero, Abaca Email Protection Gateway
An Apache project, this self-proclaimed "powerful #1 open-source spam
filter" has received numerous awards. It utilizes many different local
and network tests to identify spam signatures, and it's easy to add
additional rules if you choose. Operating System: primarily Linux and OS
X, although Windows versions are available.
26. SpamBayes
Replaces Barracuda Spam and Virus Firewall, SpamHero, Abaca Email Protection Gateway
This spam filter uses mathematical algorithms and your previous
behavior to determine the probability that messages are spam or "ham,"
and then it sorts them into the appropriate folders. It comes in
multiple versions, including an Outlook plug-in. Operating System: OS
Independent.
27. P3Scan
Replaces VirusScan Enterprise for Linux
This transparent proxy filter scans e-mail and attachments for spam,
viruses, worm, Trojans and other malicious code. You can use it alone or
alongside other anti-malware or anti-spam applications. Operating
System: Linux.

Encryption

28. AxCrypt
Replaces Symantec Encryption, Folder Lock, SensiGuard, CryptoForge
More than 2.7 million users have downloaded and registered this open
source encryption solution. It integrates into the Windows Explorer
(right-click to encrypt, double-click to decrypt) and also supports
cloud storage services like DropBox, Live Mesh, SkyDrive and Box.net.
Operating System: Windows.
29. Gnu Privacy Guard
Replaces Symantec Email Gateway Solution (PGP)
Gnu's email encryption solution supports multiple encryption
algorithms and offers good key management features. It's a command-line
tool for Linux only, but other projects have created front ends and
ported it to other operating systems. Operating System: Linux.
30. GPGTools
Replaces Symantec Email Gateway Solution (PGP)
If you're on a Mac, you might want to try this version of GPG. But
note that the Mountain Lion version is still in preview stage. Operating
System: OS X.
31. gpg4win
Replaces Symantec Email Gateway Solution (PGP)
As the name suggests, this project brings Gnu Privacy Guard to
Windows. It encrypts both files and mail messages, and it features an
easy-to-use interface. Operating System: Windows.
32. PeaZip
Replaces WinZip
This compression and archiving tool also offers encryption and secure
deletion capabilities. It supports more than 150 file formats and
multiple encryption capabilities, plus it comes in 64-bit and portable
versions. Operating System: Windows, Linux.
33. Crypt
Replaces Symantec Encryption, Folder Lock, SensiGuard, CryptoForge
Speed is Crypt's claim to fame. This command-line encryption utility
takes up only 44MB of space, and it can encrypt 30 files (3MB total) in
just 0.7 seconds. Operating System: Windows.
34. NeoCrypt
Replaces Symantec Encryption, Folder Lock, SensiGuard, CryptoForge
NeoCrypt boasts an intuitive interface and "fast, reliable and
unbreakable encryption." Features include support for ten encryption
algorithms, Windows Explorer integration, batch operations and more.
Operating System: Windows.
35. LUKS/cryptsetup
Replaces Symantec Drive Encryption
Linux Unified Key Setup, or LUKS, claims to be "the standard for
Linux hard disk encryption." It encrypts an entire drive or partition at
once and supports multiple passwords for multiple users. Operating
System: Linux.
36. FreeOTFE
Replaces Symantec Drive Encryption
Short for "Free On The Fly Encryption," FreeOTFE creates an encrypted
virtual disk on your system. It supports multiple hash techniques and
encryption algorithms, and it can run from a USB thumb drive. Operating
System: Windows.
37.TrueCrypt
Replaces Symantec Drive Encryption
This very popular disk encryption utility has been downloaded more
than 26 million times. It offers fast performance, thanks to
parallelization and pipelining, and it supports hardware acceleration on
modern processors. Operating System: Windows.

Intrusion Detection

43. Open Source Tripwire
Replaces Tripwire
Tripwire is one of the leading commercial intrusion detection
solutions. Over a decade ago, the company briefly released its flagship
product under an open source license, and development has continued on
that project independent from commercial Tripwire. Both products help to
identify when hackers have broken into networks by monitoring for
changes in your file system. Operating System: Windows, Linux.
44. AFICK
Replaces Tripwire
Another File Integrity Checker, or AFICK for short, works very
similarly to Tripwire. It's very fast and runs from the command line or
the included graphical interface. Operating System: Windows, Linux.

Network Firewalls

45. IPCop
Replaces Barricuda NG Firewall, Check Point Appliances
Most of the open source network firewall projects, including IPCop,
make it possible to create your own Linux-based firewall appliance from
standard PC hardware. This project has a fairly intuitive Web-based
interface and is a good option for small business owners or others with
small networks. Operating System: Linux.
46. Devil-Linux
Replaces Barricuda NG Firewall, Check Point Appliances
More full-featured than many open source network firewalls,
Devil-Linux can function as an application server as well as a
firewall/router. It can also run from a CD or a USB thumb drive.
Operating System: Linux.
47. IPFire
Replaces Barricuda NG Firewall, Check Point Appliances
Designed to meet the needs of everyone from home users all the way up
to large enterprises, IPFire boasts excellent flexibility and regular
security updates. A number of add-ons and commercial support are
avaialable. Operating System: Linux.
48. Turtle Firewall
Replaces Barricuda NG Firewall, Check Point Appliances
Turtle boasts simple, fast configuration of an iptables-based
firewall. It's a good option for fairly technical users, but might be
overwhelming for those with less networking knowledge. Operating System:
Linux.
49. Shorewall
Replaces Barricuda NG Firewall, Check Point Appliances
Also known as "Shoreline Firewall," Shorewall aims to be "the most
flexible and powerful" of the Linux-based firewall options. You can set
it to act as a simple network firewall, as a multi-function
gateway/server/router or to protect an individual system. Operating
System: Linux.
50. Vuurmuur
Replaces Barricuda NG Firewall, Check Point Appliances
This iptables-based firewall boasts "powerful monitoring features"
that allow real-time tracking of logs, connections and bandwidth. Other
features include traffic shaping, an easy-to-use GUI, IPv6 support,
anti-spoofing capabilities and more. Operating System: Linux.
51. m0n0wall
Replaces Barricuda NG Firewall, Check Point Appliances
Unlike most of the other projects on our list, m0n0wall is based on
FreeBSD, not Linux. It can be used with embedded systems from PC Engines
or Soekris Engineering, as well as with standard x86 PCs. Operating
System: FreeBSD.
52. pfSense
Replaces Barricuda NG Firewall, Check Point Appliances
Another BSD-based option, pfSense is a very popular fork of m0n0wall
that has been downloaded millions of times. It claims to offer "most all
the features in expensive commercial firewalls, and more in many
cases." Commercial support is available. Operating System: FreeBSD.
53. Vyatta Network OS
Replaces Cisco products
Vyatta offers software-based networking capabilities, including
enterprise-class routing, firewall and VPN features. In addition to the
free open source version, it also offers paid enterprise versions of the
software, which add more capabilities. Operating System: Linux.

Network Monitoring

54. Wireshark
Replaces OmniPeek, CommView
Wireshark boldly proclaims itself the "world's foremost network
protocol analyzer," and it's a very mature product with loads of
documentation and help available. It performs deep inspection of
hundreds of protocols, live capture, offline analysis and many other
features. Commercial support and services are available through Riverbed Technology. Operating System: Windows, Linux, OS X.
55. tcpdump/libpcap
Replaces OmniPeek, CommView
Together, these two command-line tools offer a complete network
analysis and monitoring solution: tcpdump does packet analysis, while
libpcap does traffic capture. Many of the developers behind Wireshark
are also involved with these projects. Operating System: Linux.
56. WinDump/WinPcap
Replaces OmniPeek, CommView
These two projects port tcpdump and libpcap to Windows. And, like
Wireshark, they are also associated with Riverbed Technology. Operating
System: Windows.

Operating Systems

57. BackTrack Linux
Replaces Windows
Built for penetration testing, BackTrack helps simplify the process
of testing and hardening your networks, whether you're a relative
newcomer to the field or a seasoned professional. It includes a huge
library of penetration testing and security tools, and it can be
installed on a system or run from a Live DVD or USB thumb drive.
58. EnGarde Secure Linux
Replaces Windows
Engarde claims to be "the first truly secure, open source Internet
operating platform." It includes SELinux capabilities, plus intrusion
detection, content filtering and other security features.
59. Liberté Linux
Replaces Windows
Based on Gentoo Linux, Liberté runs from a USB thumb drive, securing
your system and encrypting your messages. The project website says,
"Whether you are a privacy advocate, a dissident, or a sleeper agent,
you are equally likely to find Liberté Linux useful as a
mission-critical communication aid."

60. LPS
Replaces Windows
Created by the U.S. Air Force, the Lightweight Portable Security, or
LPS, Linux distribution can turn any PC or Mac into a secure
communication node. It runs from a CD or USB thumb drive and removes all
traces of your activity when you shut it down.
61. NetSecl
Replaces Windows
A variation of OpenSuse, NetSecl, like BackTrack, was built for use in penetration testing situations.
62. SELinux
Replaces Windows
It's not a full operating system, but the SELinux projects has added
access control capabilities to the Linux kernel. These features are
incorporated into many other Linux distributions, including many of the
most popular, like Red Hat and Fedora.
63. Tails
Replaces Windows
Another privacy-focused Linux distribution, Tails is short for "The
Amnesic Incognito Live System." Like Whonix, it leverages Tor and
Debian, and it uses encryption tools to protect your files and
communications. It runs from a live DVD or USB drive so that you can
protect yourself no matter what system you're on.
64. Whonix
Replaces Windows
Based on Virtual Box, Debian GNU/Linux and Tor, Whonix is designed to
be a fully anonymous operating system that offers exceptional security
and privacy protection. It claims to make IP and DNS leaks impossible.

Password Crackers

65. Ophcrack
Replaces Access Data Password Recovery Toolkit, Passware
Every network admin needs a password cracker in his or her arsenal
for those times when passwords aren't recoverable any other way.
Developed by the people who invented rainbow tables, Ophcrack can use
that method or brute force to find unknown passwords. Operating System:
Windows, Linux.
66. John the Ripper
Replaces Access Data Password Recovery Toolkit, Passware
John the Ripper is a fast password cracker that relies lists of
common passwords in various languages. In addition to the official
community version, it also comes in a community-enhanced version, which
supports many more ciphers and hashing techniques, or a pro version,
which is customized for various OSes and is easier to install and use.
Operating System: Windows, Linux, OS X.
67. PDFCrack
Replaces Access Data Password Recovery Toolkit, Passware
As you might guess from the name, this cracker specifically focuses
on retrieving passwords and content from PDF files. It runs from the
command line and uses both brute force and list-based cracking
techniques. Operating System: Linux, Unix.

Password Management

68. KeePass Password Safe
Replaces Kaspersky Password Manager, RoboForm
Using the same password over and over is asking for trouble. Instead,
try KeePass. It generates strong passwords for you and stores all your
passwords in an encrypted database, so all you have to remember is one
master password. Operating System: Windows.
69. KeePassX
Replaces Kaspersky Password Manager, RoboForm
Originally developed as a Linux fork of KeePass, this password safe
is very similar to the KeePass. It now supports OS X and some versions
of Windows, as well as Linux. Operating System: Windows, Linux, OS X.
70. Password Safe
Replaces Kaspersky Password Manager, RoboForm
This app boasts over a million downloads and very fast installation.
Like KeePass, it remembers your passwords for you and keeps them secure
in an encrypted database. Operating System: Windows.

Secure File Transfer

71. WinSCP
Replaces CuteFTP, FTP Commander
This award-winning utility supports SFTP, FTPS and SCP protocols for
secure file transfer, as well as regular FTP when security isn't
required. It includes two different styles of graphic interface, or it
can run from the command line. Operating System: Windows.
72. FileZilla
Replaces CuteFTP, FTP Commander
Like WinSCP, FileZilla supports all the standard file transfer
protocols. In addition to the multi-platform client version, it also
comes in a Windows-only server version. Operating System: Windows,
Linux, OS X.

Spyware Blocker

73. Nixory
Replaces SpyBot Search and Destroy, AdAware
Whether you use Firefox, Chrome or Internet Explorer, Nixory erases
malicious tracking cookies from your browser. Note that you'll need to
use it alongside other security software because it only erases tracking
cookies and doesn't block viruses or other types of malware. Operating
System: OS Independent.

User Authentication

74. WiKID
Replaces Entrust IdentityGuard, Vasco Digipass, RSA's SecurID
WiKID offers simple, software-based two-factor authentication
solutions for enterprises. In addition to the free community version, it
also comes in a paid enterprise version that includes some proprietary
code. Operating System: OS Independent.

Web Filtering

75. DansGuardian
Replaces McAfee Family ProtectionNetNanny
This network content filtering tool uses phrase matching, PICS
filtering and URL filtering to help block objectionable content.
Recently, a new maintainer took over this project, so it is once again
getting patches and updates. Operating System: Linux, OS X.

Internet Protocol version 6 (IPv6) is the next generation networking
protocol that is slated to replace Internet Protocol version 4 (IPv4) as
the dominant protocol powering modern computer networks and the global
Internet.
The problem with IPv4 is that it was developed and initially rolled
out in the 1970s and 80s, long before anyone had any idea of what the
Internet would become (IPv4 is defined in RFC 791,
published in 1981). Simply put, the ability for IPv4 to support modern
Internet traffic is decreasing steadily. The Internet Engineering Task
Force (IETF) recognized the potential for a crisis and commenced work on IPv4′s replacement in the mid-1990s.
The rest of this article will assume that you know why the Internet needs to evolve from IPv4 to IPv6. If you do not understand this, please stop reading and view this Youtube video of Vinton Cerf explaining the rationale behind the protocol migration (Cerf is considered one of the “fathers of the Internet”).
The death of IPv4 as a relevant networking protocol was delayed
considerably by the deployment of two addressing-related solutions:
Network Address Translation (NAT) and Classless InterDomain Routing (CIDR).
However, given the current and projected growth in human population and
the ever expanding quantity of devices connecting to the Internet, IPv6
is required to accommodate and sustain the necessary expansion of
Internet availability and services. For example, two well-known
technology growth sectors, mobile devices (e.g., smartphones) and
cloud-based computing, require public IPv4 connectivity to function and
therefore, they are contributing to the exhaustion of the public IPv4
address space (even with NAT relieving some pressure).

Despite their differences in age, IPv4 and IPv6 do share some
characteristics. Both protocols were designed to allow for host
identification, host discovery, and optimal routing. They both work at
Layer 3 of the OSI networking model and at the internet layer of the TCP/IP networking model.
In order for hosts to properly communicate using IPv4 or IPv6, they
must be assigned a unique IP address. IPv6 hosts need the same
information as IPv4 hosts to properly network, e.g., they need to know
the IP addresses of DNS servers (to translate host names to IP
addresses) and default gateways (to transmit to remote destinations). As
in IPv4, IPv6 hosts will send packets directly to destinations on the
same subnet.
However, as IPv6 was developed from the ground up to be a
future-oriented redesign and modernization of the IP structure, IT
professionals will notice that it offers many distinct advantages over
its aging cousin. Some noteworthy differences are:

IP addressing – as described below, IPv6 addresses
use a different format and can provide an astonishingly huge address
space for network hosts, far larger than what IPv4 can offer.

IPv6 address format

As described in my IPv4 subnetting
article, IPv4 utilizes addresses that are 32 bits in length and
comprised of four distinct fields (called octets). Each octet contains a
value of eight bits. IPv6, however, uses 128-bit addresses. These
128-bit addresses take the form of eight hexadecimal
fields (or blocks) that are separated by colons. Each block is sixteen
bits in size and is represented by four hexadecimal characters (0-9 and
A-F).IPv4 address example: 192.168.10.25IPv6 address example: 2001:0DB8:124C:C1A2:BA03:6745:EF1C:683D
The increased bit count and the availability of 32 hexadecimal
characters results in a significantly larger address space as compared
to IPv4. IPv4 theoretically offers a maximum of 4,294,967,296 unique
addresses, but certain address ranges are not allowed to be used for
public addressing (such as 127.x.x.x, 10.x.x.x, 172.16.x.x, 192.168.x.x,
etc.). So the real quantity of publicly available IPv4 addresses is
considerably less than absolute limit of 4,294,967,296. IPv6, in
contrast, offers the potential for such a large quantity of addresses
that it is difficult to grasp. This number is 3.4×1038,
resulting in a grand total of
340,282,366,920,938,463,463,374,607,431,768,211,456 possible addresses.
This quantity is so huge that every star in the universe could have
340,282,366,920,938 universally unique IP addresses (the latest
estimates are that there are 1022 to 1024 stars in
existence). This means that each star would have a unique address space
that is at least 80,000 thousand times greater than our current
IPv4-based global Internet.
If you have experience with IPv4 subnetting, you are probably in the
habit of being frugal with your address consumption. With IPv6, you can
have so many subnets and hosts on each subnet that you no longer need to
pinch IP addresses. IT professionals will need to make an effort to
abandon the fear of using “too many IP addresses”. Believe it or not,
you can simultaneously be wasteful with address space and have
room to support future network growth. However, you will still need to
follow sound IP addressing practices; i.e., do not simply toss IPv6
addresses around in a haphazard manner. Allocate them in logical,
consistent, and meaningful ways (i.e., use patterns) and be sure to use
an inventory tool to keep orderly records of address assignments (see IP Address Management tools on Wikipedia) as you are not likely to memorize IPv6 addresses. DNS will be even more of your friend than with IPv4.
The IPv4 addressing scheme includes network, subnet, and host divisions. IPv6, however, provides hierarchical addressing based on prefixes rather than the address classes of traditional IPv4. IPv6 addresses adhere to this format:

Global routing prefix

Subnet ID

Interface ID

x bits

y bits

128 – (x+y) bits

.
The global routing prefix is a hierarchically structured value assigned to a site. The subnet ID is an identifier of a link within the site. The interface ID is a unique identifier for a networked device on a given link (of course, multihomed devices have more than one interface).
As with IPv4 and its dotted decimal notation, it is important to
understand IPv6 addresses not as they are commonly depicted (with
hexadecimal characters) but as collections of bits. Here is IPv6 address
2001:DB8::2F3B:2AA:FF:FE28:9C5A in its “true” binary form:0010000000000001 0000110110111000 0000000000000000
0010111100111011 0000001010101010 0000000011111111
1111111000101000 1001110001011010
As in IPv4, some of the bits in an IPv6 address stand for the
network/subnet and the other bits stand for the host/interface. IPv6
does not use subnet masks (such as 255.255.192.0) but rather network
prefixes to delineate the network/host boundary. Prefixes are all
addresses that start with the same series of bits, and they are written
in slash notation (such as /48). In other words, the prefix specifies
how many of the leftmost contiguous bits of the address comprise the
network. For example, the host address 29D0:14C7:4B92:9BD29:1A2B:E5F6:8C4D:1025/64
shows that the network prefix is the first 64 bits of the address
(highlighted in bold). In other words, the network this host belongs to
is 29D0:14C7:4B92:9BD29:0000:0000:0000:0000/64.
As another example, this is a 60-bit prefix (underlined): 14DE:0000:0000:BE50:0000:0000:0000:0000/60
(each hex digit is worth 4 bits, and fifteen digits are underlined).
This prefix, 2001:0CD9::/32, contains all the interface addresses from
2001:0CD9:0000:0000:0000:0000:0000:0000 to 2001:0CD9:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF. Similarly, prefix 2001:0CD9:1B3D::/48 contains all interface addresses from 2001:0CD9:1B3D:0000:0000:0000:0000:0000 to 2001:0CD9:1B3D:FFFF:FFFF:FFFF:FFFF:FFFF.
The first address in the paragraph above,
14DE:0000:0000:BE50:0000:0000:0000:0000/60, could be condensed to
14DE:0:0:BE50::/60. Unlike IPv4, addresses in IPv6 can be abbreviated to
make them simpler to read and write. If an IPv6 address block (remember
each address has 8 blocks) is comprised solely of 0s (zeroes), then it
can be compressed into just one zero. In other words, address FE38:0000:124C:C1A2:BA03:6745:EF1C:683D could be written as FE38:0:124C:C1A2:BA03:6745:EF1C:683D.
If there happen to be contiguous blocks of only 0s in an address, then
these blocks can be omitted altogether. For example, FE38:0:0:0:BA03:6745:EF1C:683D could be represented as FE38::BA03:6745:EF1C:683D.
This two-colon abbreviation may only be applied once in an address.
Therefore, address FE00:0000:0000:0004:0000:0000:0000:0047 could be
rewritten as FE00::4:0:0:0:47 or FE00:0:0:4::47, but not as FE00::4::47.

Network addressing can now be done on half-byte (nibble) boundaries (remember, a byte is eight bits,
and each hex character in an IPv6 address represents four bits). What
this means is that prefix boundaries can occur within the binary value
of a single hex character. Each character is four bits, so if the prefix
length is not a multiple of four, the binary separation will take place
within a hexadecimal character.
Organizations requesting IPv6 address allocations from their local regional Internet registry (RIR)
are given address ranges with /48 prefixes. This means that the first
three blocks (total of 48 bits) are fixed and do not change. Typically,
organizations with a /48 range will then use the fourth block for the
creation of subnets. So initially a /48 prefix is assigned, such as
2001:DB8:4B92::/48. Then the fourth block is populated to create
subnets: 2001:DB8:4B92:xxxx::/64, where xxxx stands for hexadecimal
digits 0000-FFFF. You should get used to seeing the /64 prefix length.
Standard IPv6 addressing (specified in RFC 4291)
requires that most unicast addresses use a 64-bit interface identifier.
Additionally, this is a requirement of Stateless Address Auto
Configuration (RFC 4862) and any network expecting SLAAC to occur must have a /64 prefix available.
A /64 prefix can provide for 18,446,744,073,709,551,616 addresses.↑ Up to page menu

IPv6 address types

IPv6 addresses can fall into three categories: unicast, multicast,
and anycast. These also exist in IPv4. However, notice that IPv6 does
not utilize broadcast addresses.
A unicast address is an identifier for a single
interface. In other words, the final destination for packets sent to a
unicast address is only to interface identified by that address.
A multicast address is an identifier for a group of interfaces. The intended final destination for packets sent to a multicast address is all
the interfaces identified by that address. An interface may belong to
several multicast address groups. Multicast addresses cannot function as
source addresses, only destinations. The multicast entry on Wikipedia lists several instances in which hosts would transmit multicast rather than unicast data streams.
Like multicasts, an anycast address is an identifier
for a group of interfaces. However, packets sent to anycast addresses
are not delivered to all interfaces in that group. Instead, packets sent
to an anycast address get delivered to the closest member of a group, according to the metric
utilized by the routing protocol. In this way, anycasts are sort of
like a hybrid between unicast and multicast addresses. The important
point to remember is that packets sent to an anycast address will be
delivered to one (and only one) of the nodes that are listening on that
anycast address.↑ Up to page menu

IPv6 unicast address types

In IPv6 there are several types of unicast addresses, such as global unicast, unique local unicast, and link-local unicast.Global unicast addresses. These addresses can be
regarded as the IPv6 equivalents of public IPv4 addresses. Global
unicast addresses are publicly routable, globally unique, and the prefix
2000::/3 is designated for them (all addresses that begin with hexadecimal 2 or 3).Link-local addresses. Used by autoconfiguration protocols like Neighbor Discovery Protocol (NDP),
link-local addresses are automatically configured by IPv6 interfaces.
Link-local addresses are used to communicate over a single physical or
logical subnet, such as a typical Ethernet-based LAN. In this way,
link-local addresses are similar to IPv4′s APIPA address range. APIPA is
a feature of Microsoft Windows that acts as a DHCP failover mechanism
(when a DHCP request or server fails, APIPA automatically allocates
addresses in the private range 169.254.0.1 to 169.254.255.254).
The link-local default prefix is FE80::/10. Routers will not forward
any packets to other links if the source or destination addresses are
link-local.Unique local addresses. Unique local addresses (ULAs) have replaced the deprecated site-local addresses
which were previously standard in IPv6. Routers would not forward any
packets to other sites if the source or destination addresses were
site-local. ULAs are similar in that they are usually only routed within
one site, but they can also be routed among a set of sites. However
they are not to be routed globally (i.e., on the Internet) even though
they are globally unique. Therefore you could join two subnets and not
have to worry about IP address collisions.The standard ULA prefix is
FC00::/7. Unique local addresses are similar to IPv4′s private (RFC 1918) address ranges.
The loopback address in IPv6 is 0:0:0:0:0:0:0:1/128, or ::1/128. As you recall, the IPv4 loopback address
is 127.0.0.1/8. In both IPv6 and IPv4, the loopback address serves the
same purposes. For instance, if you ping the loopback address and you
receive replies, it’s a sign that TCP/IP protocol suite is properly
functioning on the local host. To do this in IPv6, the command is ping6 ::1.
The unspecified address, 0:0:0:0:0:0:0:0/128 or
::/128, indicates the absence of an address and therefore cannot be
assigned to any interface or used as a destination address. Instead it
serves as the source address of any packets sent by an initializing host
before it has learned its own proper IPv6 address. Ipv6 routers will
not forward requests with the unspecified address as the source.
The loopback and unspecified addresses are established in RFC 4291.IPv4-mapped IPv6 address. These unicast addresses
are used by applications that transmit in IPv6 to allow them to talk
with IPv4 hosts. The first 80 bits are zero, the next sixteen bits are
1, and the remaining 32 bits are the IPv4 address in dotted decimal
notation. For example, ::FFFF:192.0.10.25 represents the IPv4 address
192.0.10.25. Standardized in RFC 4038.IPv4-compatible IPv6 address. The IPv4-compatible
address, 0:0:0:0:0:0:a.b.c.d (where a.b.c.d is the dotted decimal
representation of an IPv4 address), is used by dual stack hosts to
communicate using IPv6. When the IPv4-compatible address is used as an
IPv6 destination, the IPv6 traffic is automatically encapsulated with an
IPv4 header and sent to the destination using an IPv4 pathway. Example
address: ::192.168.10.25. Deprecated since RFC 4291.↑ Up to page menu

IPv6 multicast address types

Multicasts can be easily identified as they have a prefix of FF (or
11111111 in binary). The multicast ‘all nodes on link’ address of
FF02::1 is as close to a traditional broadcast address as IPv6 gets.
The following scopes apply to multicast addresses: interface-local (a single interface only), link-local (used by hosts when communicating with neighboring nodes on the same link), subnet-local (for subnets that span multiple links), admin-local (must be administratively configured), site-local (the site or organization network, not to be forwarded outside of scope), organization-local (intended to span multiple sites belonging to one organization), and global (globally unique, i.e. across the Internet).
Additionally there are a few defined types of multicast groups.‘All nodes’ multicast groups
These groups identify all IPv6 nodes within a given scope.

Interface-local, all nodes (FF01::1)

Link-local, all nodes (FF02::1)

‘All routers’ multicast groups
These groups identify all IPv6 routers within a given scope.

Interface-local, all routers (FF01::2)

Link-local, all routers (FF02::2)

Site-local, all routers (FF05::2)

Solicited-node multicast groupSolicited-node multicast addresses are used by Neighbor Discovery Protocol for obtaining the Layer 2 addresses of other nodes (similar to ARP).

IPv6 reserved prefixes

The following IPv6 prefixes are reserved for certain purposes:

::/96: The zero prefix denotes addresses that are compatible with the previously used IPv4 protocol.

::/128: the unspecified address (all zeroes).

::1/128: the loop back address.

64:FF9B::/96: NAT64 well-known prefix.

2000::/3: Global unicast.

2001::/32: Teredo prefix.

2001:DB8::/32: For use as IPv6 examples (in tutorials, trainings, essays, etc.). 2001:0DB8: should be rendered as 2001:DB8: to encourage the habit of suppressing leading zeroes.

2002::/16: 6to4 prefix.

FC00::/7, FD00::/8: Unique Local Address (ULA) prefixes. Routed only within a predefined set of cooperating sites.

FEC0::/10: This is a site-local prefix (deprecated by the IETF).

FF00::/8: Generic prefix for multicast addresses.

FF01::1: Interface-local, all nodes (multicast).

FF01::2: Interface-local, all routers (multicast).

FF02::1: Link-local, all nodes (multicast).

FF02::2: Link-local, all routers (multicast).

FF02::5: OSPF messages (multicast).

FF02::6: OSPF messages (multicast).

FF02::8: IS-IS messages (multicast).

FF02::9: RIPv2 messages (multicast).

FF02::A: EIGRP messages (multicast).

FF02::D: PIM messages (multicast).

FF02::16: MLDv2 reports (multicast).

FF02::1:2: DHCP relay agents on local segment (multicast).

FF02::1:FF00:0/104: Solicited-node address (multicast).

FF02::1:3: All LLMNR hosts on local segment (multicast).

FF02::2:FF00:0/104: Node Information Queries (multicast).

FF05::1:3: Site-local, all DHCP servers (multicast).

FF05::1:4: Site-local, all DHCP relays (multicast).

FF05::2: Site-local, all routers (multicast).

FF0x::C: Simple Service Discovery Protocol (multicast).

FF0x::FB: Multicast DNS (multicast).

FF0x::101: Network Time Protocol (multicast).

FF0x::108: Network Information Service (multicast).

FF0x::114: Used for experiments (multicast).

FE80::/10: the link-local prefix (signifies that the address is valid only on the local physical link).

IPv6 automatic address acquisition by hosts

IPv6 hosts can utilize stateless autoconfiguration of IP address parameters. Stateless address autoconfigration (SLAAC)
uses local host information along with information advertised by
routers (no DHCP server is required). This process (described in RFC 4862) involves using the host’s MAC address to generate an EUI-64
address and then joining it to the 64-bit local link prefix (FE80::/64)
which is learned from a router. In this sense, local routers kind of
act like DHCP servers because they send out “router advertisements”
(RAs) that contain the first 64 bits of an IPv6 address (the local link
prefix). To generate EUI-64 addresses from their MAC addresses, the
hexadecimal values of 0xFF and 0xFE are inserted between the third and
fourth bytes of the MAC address. To then create an IPv6 interface
identifier from the EUI-64 address, the Universal/Local bit (the second
low-order bit of the first byte of the EUI-64 address) is turned to 0 if
it is a 1, or turned to 1 if it is a 0). For example, for the EUI-64
address of 00-60-09-FF-FC-53-F7-D6, the second low-order bit of 0×00 is
0, which, when complemented, becomes a 1. The result is that for the
first byte, 0×00 becomes 0×02. Therefore, the IPv6 interface identifier
corresponding to the EUI-64 address of 00-60-09-FF-FC-53-F7-D6 is
02-60-09-FF-FC-53-F7-D6. This process is explained in RFC 4291.
To avoid the possibility of SLAAC generating a duplicate link-local address, Duplicate Address Detection (DAD)
is then invoked. This combination of IPv6 addresses generated from
interface MAC addresses plus DAD means that collisions of link-local
addresses are virtually no longer a concern. This news will come as a
relief for any network administrators who have ever had to merge two or
more subnets that used addressing schemes in, for example, the
192.168.x.x or 10.x.x.x ranges.
Like DHCP in IPv4, IPv6 hosts can also be configured to acquire connectivity parameters from DHCPv6
servers. IPv4 clients use DHCP broadcasts to locate DHCP servers, and
since broadcasts are extinct in IPv6, clients use specialized multicasts
to locate DHCPv6 servers. These multicasts use the reserved address
FF02::1:2. One notable difference between DHCP and DHCPv6 is that while
DHCP can inform clients which node to use as the default gateway, DHCPv6
does not do this. The default gateway should be a link-local router
that can reliably make its own existence known via router
advertisements. So IPv6 clients must be informed of the default gateway
address via the SLAAC process. Another difference between DHCP and
DHCPv6 is that while DHCP is a very “tried and true” service, DHCPv6 did not perform very well in a 2011 vendor-neutral interoperability test.↑ Up to page menu

IPv6 and security

Unlike IPv4, IPv6 was designed with security in mind. Take ICMPv6 for
example. ICMPv6 is more important for proper IPv6 functionality than
traditional ICMP is for IPv4. Specifically, ICMPv6 is responsible for
providing diagnostic functions and reporting errors if packets are not
successfully delivered. It also enables Neighbor Discovered and
Multicast Listener Discovery (MLD).
However, many firewalls block ICMP as a measure to protect against ping
sweeps and ping-related denial of service attacks such as such as the
Ping of Death, Smurf attack, and ping floods. ICMPv6 will most likely
get the same treatment on many IPv6-capable perimeter devices. In
response, ICMPv6 was designed to be compatible with IPSec
to enable authentication and encryption. In fact, IPv6 is required by
its designers to natively support IPSec. Another example is the
integration of DHCPv6 and network access policies. Before DHCPv6 servers
reply to client requests, they can check network access control
policies to ensure that only valid hosts receive the IP parameters which
they are requesting. A final example deals with network scanning, a
step often taken by hackers looking to enumerate network hosts and find
weak targets. Because of the aforementioned vastness of the IPv6 address
space, network scanning is more difficult. Randomly scanning for
vulnerable hosts is impractical at best, probably impossible.
However, like all new technologies, IPv6 will not be free of
vulnerabilities. There will definitely be bugs found in its underlying
code, and as the protocol becomes more and more diffused throughout
global networks, security holes will surely be discovered. Indeed,
although IPv6 is just at the dawn of its eventual worldwide deployment,
there has already been a considerable quantity of IPv6 vulnerabilities
discovered in recent years. Websites that track computing
vulnerabilities have catalogued numerous IPv6 holes and exploits, and
many more protocol weaknesses will be uncovered in coming years. For
listings of the vulnerabilities published so far, you can visit:

In a June 2011 report, Jeff Doyle at InformationWeek
asks, “Will IPv6 make us unsafe?” He points out that IPv6 is far from a
“tried and true” protocol in that it has not been widely tested in
diverse environments, and therefore should be approached with caution.
Doyle states that “While network architects have long had a wide variety
of IPv6-capable routers and support systems to choose from, security products have lagged the rest of the industry.” Case in point: the most popular scanning tool, Nmap, was released in 1997 and only became compatible with IPv6 in 2012 (at version 6.0). Similarly, in their 2012 Worldwide Security Report (PDF), Arbor Networks
reported the first appearances of distributed denial of service (DDoS)
attacks conducted via IPv6 (see page 39 of the report). According to
Arbor, sixty percent of survey respondents “indicated that they have
little or no visibility into their IPv6 traffic today, and thus have no
ready way to detect, classify and trace back IPv6 attack traffic on
their networks.” Clearly these system owners would have difficulty
detecting malicious IPv6 traffic in their networks, thereby enabling
successful IPv6-based DDoS attacks. Doyle also laments the misconception
that support for a feature automatically translates into feature enablement.
As Doyle clarifies, “…a capability called for in a spec does not
necessarily translate into a capability that works in an actual network …
few IPv6 implementations provide ‘built-in’ authentication and
encryption, and end-to-end IPv6 sessions are not automatically secured.”
IPv6 should definitely not be regarded as a miraculous cure-all that
will immediately reduce network vulnerabilities and threat vectors. The
same basic threats and respective security measures and guidelines apply
to both IPv4 and IPv6. For example, even though IPv6 is better suited
to resist scanning of address blocks as previously mentioned, targeted
scanning scanning and probing against specific hosts is still very much
possible. Packet sniffing is also still a valid threat. Such security
concerns should serve to motivate organizations to to transition to IPv6
sooner rather than later because a hastily deployed IPv6 network is one
which will not be as locked down as its IPv4 counterpart or
predecessor. Therefore it’s advisable to upgrade to IPv6 when there is
plenty of time to spare for testing and gradual deployment.
Most networks today already have many IPv6-enabled hosts, including
every node running Windows Vista, Windows 7, Mac OS/X, and all modern
Linux, Unix, and BSD. These hosts can use SLAAC as previously described
to communicate with other IPv6 network devices and services on the same
LAN, and if they can contact an IPv6-enabled router then there may be
unapproved, “rogue” IPv6 traffic on your network which could evade
IPv4-based security measures. Even though the built-in Windows Firewall is compatible with IPv6, Windows hosts have the potential to be particularly worrisome because they do not support two IETF security standards:

SEcure Neighbor Discovery (SEND) (described in RFC
3971) can provide protection for Router Solicitation and Router
Advertisement messages. SEND can also be used to provide protection for
Neighbor Solicitation and Neighbor Advertisement message exchanges for
address resolution or neighbor unreachability detection, providing
protection against Neighbor Discovery-based denial of service (DoS)
attacks by nodes with statically configured IPv6 addresses. In contrast,
there is no mitigation against Address Resolution Protocol (ARP) DoS
attacks for IPv4. However, Microsoft does not support SEND in any version of Windows…RFC
3118 defines a method to provide authentication for DHCP message
exchanges for IPv6 or IPv4 DHCP-based configuration. Windows XP and
Windows Server 2003 do not support DHCPv6-based IPv6 address
configuration. Microsoft supports DHCPv6 in Windows 7, Windows Server
2008 R2, Windows Vista, and Windows Server 2008. However, Microsoft does not support RFC 3118.

IPv6 and traditional NAT

The potential extinction of NAT in IPv6 networks is one of the most
controversial changes from IPv4. NAT devices replace the private (RFC
1918) source addresses in outbound packets with public IP addresses. By
keeping track of which internal host sent which packets, NAT devices can
allow many hosts to share one public IP address. Conventional IPv6
wisdom claims that since there is such a ridiculously large number of
addresses to go around, it is no longer necessary to conserve public
address space and “hide” your internal hosts behind NAT devices.

Many system administrators take issue with the recommendation to
retire NAT because even if public IP address availability is no longer a
concern, they still do not want their private network topology exposed
by providing each of their hosts a publicly discoverable IPv6 address.
Therefore they are reluctant to abandon NAT as it shields their private
networks from prying eyes on the Internet. As such, NAT has been an
important tier in the “defense in depth” information security strategy (a best practice
security model). However, NAT also represents a single point of failure
in network communications and is a convenient target for denial of
service attacks. Furthermore, the obscurity which NAT offers its
“hidden” internal hosts should not be confused with a true security
measure.
Functionally speaking, NAT can be seen as a sort of “hack” solution
for networks because all ingress and egress packets are examined and
altered, thereby introducing extra complexity and hence, more potential
for erroneous configurations and bugs. Wikipedia’s entries on NAT and NAT traversal explain NAT’s disadvantages and drawbacks in more detail. As Iljitsch van Beijnum states on ArsTechnica:

Architecturally, NAT is a bad thing. It breaks all
kinds of assumptions built into protocols, so it can get in the way of
applications. This is especially true for peer-to-peer applications such
as BitTorrent, but also VoIP (including Skype). However, over the years
application builders have figured out ways to work around NAT. One
method involves talking to the local home gateway that’s performing NAT,
and asking it to forward incoming connections using a port mapping
protocol. This works very well when you run a NAT in your own home, but
not so much when your ISP runs a big NAT. Not only will different users
compete for the best port numbers, but also the commonly used port
mapping protocols (UPnP, IGD and NAT-PMP) can’t talk to a NAT several
hops away.Making peer-to-peer applications work may or may not be a high
priority for ISPs, who also tend to be in the video content distribution
and/or voice calling business. Worse, ISP-provided NAT may actually
break IPv6 tunneling mechanisms that allow people to gain IPv6
connectivity if their ISP doesn’t provide it. And deploying these
expensive and complex new NAT boxes may take away resources that could
otherwise be used to deploy IPv6 in the network.

Nevertheless, an experimental RFC does exist describing the function of traditional NAT in IPv6 (RFC 6296). The Internet Architecture Board (IAB) makes their feelings about NAT in IPv6 known in RFC 5902.↑ Up to page menu

IPv4-to-IPv6 transition methods

For obvious reasons, the switch to IPv6 cannot be made abruptly with
little or no preparation. IPv4 has proven to be a very resilient
protocol and is entrenched in modern networks. Regardless, the IETF has
specified in RFC 6540
(April 2012) that going forward all IP-capable devices are to be
compatible with IPv6, not just IPv4. The evolution to IPv6 will be
gradual and both protocols will exist side-by-side for quite some time.
However, you should begin planning to make your public servers (DNS,
email, Web) reachable via IPv6. Make it a priority to ensure that your
public websites and Internet-facing applications can answer IPv6
requests. As IPv6 becomes more prevalent, standard business
considerations will kick in if your sites and services start to lose
customers and hits, and then you will face the challenge of enabling
IPv6 support in a hurried, stressful manner. The law of supply and
demand will also rear its head when the final few IPv4 addresses are
available – they will surely be expensive.
When you decide to enable and support IPv6, many standard network
security considerations will apply. For instance, the IPv4-based access
control lists (ACLs)
on your network perimeter must be coupled with new IPv6 ACLs that offer
the same level of protection. On the client side, most operating
systems released in the 21st century are equipped to handle IPv6. If a
modern version of Linux or Windows boots up and detects an IPv6 router
on the LAN that advertises an IPv6 prefix, it will generate an IPv6
address. This functionality will surely prove beneficial during
IPv4-to-IPv6 network upgrades because many hosts will remain online and
users will be able to continue working. However, this also means that
there could be unapproved, covert IPv6 traffic traversing your network.
Many respected and influential enterprises have already made the
decision to embrace IPv6. Google, for instance, has already acquired a tremendous amount of IPv6 addresses. Google owns every address with the prefix 2001:4860::/32. Google has also deployed public IPv6 DNS servers (2001:4860:4860::8888 and 2001:4860:4860::8844). Other major industry giants such as Microsoft, Cisco, Juniper, Red Hat, Verizon, Sprint, AT&T, Comcast, Netgear, D-Link, and Belkin have also rallied to the call to roll out IPv6 services.
Complicating the deployment of IPv6 is the fact that (quite
regrettably) IPv4 and IPv6 are not directly compatible. In other words,
hosts connecting solely over IPv4 cannot directly communicate with hosts
connected solely via IPv6. In response to this challenge, several
interprotocol transition solutions have been developed. These transition
technologies are mechanisms designed to enable service providers and
network operators to migrate their subscriber base (users) from IPv4 to
IPv6. In the ideal interim transition environment, both IPv4
and IPv6 are fully deployed across all the infrastructure, meaning that
all networked hosts (such as servers, workstations, mobile devices,
etc.) and all networking devices (such as routers, switches, firewalls,
etc.) can process both IPv4 and IPv6. Additionally all content,
applications, and services are available via both protocols. To end
users, however, the utilization of two different protocols should remain
transparent. In the ideal end state environment, IPv6 has fully replaced IPv4 and all nodes communicate solely via IPv6.
One undesirable side effect of these transition methods is that they may end up actually delaying
the transition from IPv4 to IPv6. Remember, the idea is to get weaned
off IPv4, not to artificially prolong its lifespan. It is quite
unfortunate that IPv6 is almost twenty years old but has yet to achieve
widespread adoption, particularly in the USA. One very positive outcome
of rolling out IPv6 is that such a protocol upgrade is a one-time
deal…you and/or your successors will never have to worry about
undergoing a similar process for a long, long time. If the estimated
lifespan of IPv4 ends up being about fifty years (it was standardized in
1981), then it’s very likely that IPv6 will exist as a viable
networking protocol for hundreds of years after we are gone.
The three main types of transition mechanisms are:

Dual stack

Translation

Tunneling (packet encapsulation)

Dual stack

In a dual stack environment, IPv4 and IPv6 can both
traverse all segments of the network. Dual stack means that key network
nodes can run both IPv4 and IPv6 simultaneously, so they can communicate
with IPv4 hosts using IPv4 and with IPv6 hosts using IPv6. When a
connection needs to be established with an IPv4-only host, the IPv4 path
is used. When a connection needs to be established with an IPv6-only
host, the IPv6 path is used. When the destination host can understand
either protocol, IPv6 should be the preferred protocol. If the attempt
at IPv6 fails, then IPv4 will be used instead. Dual stack hosts query
DNS servers for both A records and AAAA records (AAAA should be
preferred).

Translation

NAT64 and NAT46 are translation methods (NAT-PT has been deprecated by the IETF). NAT64 is necessary when IPv6-only hosts needs to communicate with IPv4-ony hosts. NAT46
is necessary when IPv4-only hosts need to communicate with IPv6-only
hosts. Instead of tunneling one protocol inside the other, NAT
translation actually converts IPv4 addressing to IPv6 and vice versa.
This technique is similar to how NAT devices translate private ranges of
IPv4 addresses (specified in RFC 1918) into public range IPv4 addresses. A special prefix, 64:ff9b::/96, is used to map IPv4 addresses to IPv6 addresses. A modification to DNS, DNS64,
is also needed. DNS64 synthesizes an AAAA record even when no IPv6
address is found for the destination host (i.e., when DNS only replies
with traditional A records).
Typically NAT is performed by customer premises equipment (CPE)
such as your home or business router. When service providers deploy NAT
gear for IPv6-IPv4 translation, this practice is known as Large Scale
NAT (LSN) or Carrier-Grade NAT (CGN).
NAT64 and NAT46 are described in more detail by this IETF draft. The NAT64 protocol specification can be found in RFC 6146. IPv6/IPv4 translation as a whole is discussed in RFC 6144.

Tunneling

Tunneling involves encapsulating IPv6 packets inside
IPv4 packets or vice versa. When IPv6 packets must cross a section of
the network that only supports legacy IPv4, the IPv6 packets are put
inside IPv4 packets, transmitted across the IPv4-only part of the
network. Then the IPv4 packaging is stripped and the packets continue to
their IPv6-addressed destinations. Tunnels can be manually configured
(static) or dynamically generated. RFC 4213, ‘Basic Transition Mechanisms for IPv6 Hosts and Routers’, defines four generic types of tunneling mechanisms:

Router-to-Router. IPv6/IPv4 routers
interconnected by an IPv4 infrastructure can tunnel IPv6 packets between
themselves. In this case, the tunnel spans one segment of the
end-to-end path that the IPv6 packet takes.Host-to-Router. IPv6/IPv4 hosts can tunnel IPv6
packets to an intermediary IPv6/IPv4 router that is reachable via an
IPv4 infrastructure. This type of tunnel spans the first segment of the
packet’s end-to-end path.Host-to-Host. IPv6/IPv4 hosts that are
interconnected by an IPv4 infrastructure can tunnel IPv6 packets between
themselves. In this case, the tunnel spans the entire end-to-end path
that the packet takes.Router-to-Host. IPv6/IPv4 routers can tunnel IPv6
packets to their final destination IPv6/IPv4 host. This tunnel spans
only the last segment of the end-to-end path.

Some popular tunneling techniques include:6to4
6to4, Teredo, and ISATAP are automatic tunneling techniques. 6to4
uses a default relay tunnel address, 192.88.99.x and a default gateway
of 192.88.99.1. Any traffic directed to this IPv4 address range is
probably carrying encapsulated 6to4 IPv6 traffic (6to4 packets start
with 2002::/16). 6to4 works well when a 6to4 router exists at the edge
of the site. The 6to4 router uses a public IPv4 address to construct the
6to4 prefix and encapsulates and decapsulates IPv6 traffic sent to and
from nodes in the site. So, 6to4 needs configuration of a public IPv4
address and the implementation of 6to4 routing functionality on the
site’s edge device. Many small office/home office (SOHO) configurations
use an IPv4 NAT device for Internet connectivity. In most NAT
configurations, the device providing NAT functionality is not capable of
acting as a 6to4 router. Even if 6to4 were universally supported in
Internet edge devices, there are some Internet connectivity
configurations that contain multiple levels of NATs.

TeredoTeredo
solves the issues of the lack of 6to4 functionality in modern-day
Internet edge devices and multilayered NAT configurations by tunneling
IPv6 packets between the hosts within the sites. In contrast, 6to4 tunnels IPv6 packets between the edge devices.
Teredo allows IPv6 connectivity between IPv6 and IPv4 nodes that are
separated by one or more NAT devices. Teredo traffic is composed of IPv6
packets that have been encapsulated as IPv4-based UDP messages, and UDP
can be translated universally by NAT devices and can traverse multiple
NAT layers. Teredo functionality is explained more thoroughly in
Technet’s Teredo overview (Teredo was developed by Microsoft). Teredo is also described in RFC 4380.6rd6RD has
a lot in common with 6to4. 6to4 works by relaying traffic between
native IPv6 and IPv4 using relay servers which advertise common IPv4 and
IPv6 prefixes to networks they are prepared to provide relay services
for, but there is no guarantee that all native IPv6 hosts have a working
route toward such a relay. With 6rd, this model is changed by making
each ISP use one of its own IPv6 prefixes instead of the special
2002::/16 prefix standardized for 6to4. The 6rd protocol specification
can be found in RFC 5969.

6in46in4
is the encapsulation of IPv6 packets in IPv4 packets. In 6in4, the IPv4
packet header is immediately followed by the IPv6 packet. This means
that the encapsulation overhead is simply the size of the IPv4 header
(20 bytes) which avoids MTU packet fragmentation. More details can be
found in RFC 4213.6over46over4
is a transition mechanism which allows isolated IPv6 hosts, located on a
physical link which has no directly connected IPv6 router, to use an
IPv4 multicast domain as their virtual local link. A 6over4 host uses an
IPv4 address for the interface in the creation of the IPv6 interface
ID, placing the 32-bit IPv4 address in the low order bits and padding to
the left with 0′s for a total of 64 bits. The IPv6 prefix used is the
normal IPv6 prefix, and can be manually configured or dynamically
learned by way of SLAAC.
6over4 is officially documented in RFC 2529. Semantic differences between the terms “6in4″ and “6over4″ are addressed in a 2005 IETF draft document.6PE
Cisco’s IPv6 Provider Edge (6PE) is a tunneling solution for MPLS backbones.

DS-Lite
Dual Stack Lite (DS-Lite) uses 4in6 tunnels to send traffic to a DS-Lite
server which then NATs the traffic though a tunnel. This allows for
IPv6-only connections between the customer site and the service
provider’s Large Scale NAT (LSN), but instead of translating from IPv4
to IPv6 as in NAT464, the IPv4 packets are tunneled to the LSN, so no
translation needs to be performed. More info on DS-Lite can be found here and here. Standard specification is in RFC 6333.

DSTM
Dual Stack Transition Mechanism (DSTM) encapsulates IPv4 packets within IPv6 (4in6). Standard specification can be found on IETF.org.
DSTM is designed to rapidly reduce the reliance on IPv4 routing and is
intended for IPv6-only networks in which hosts still occasionally need
to communicate directly with other IPv4 hosts.ISATAP
Intra-site Automatic Tunnel Addressing Protocol (ISATAP).
Unlike 6to4 tunnels, ISATAP tunnels do not work if IPv4 NAT is used
between the tunnel endpoints. The IETF describes ISATAP in RFC 5214.

Configuring IPv6 on Linux

The Linux kernel has provided IPv6 support since as far back as 1996
(since kernel v2.4). Not surprisingly, configuring IPv6 in Linux
involves editing text files using vi or a text editor such as gedit.
In the Red Hat Linux family (which includes Fedora and CentOS), open up the /etc/sysconfig/network file and add/edit these lines:NETWORKING_IPV6=yes
IPV6FORWARDING=no
IPV6_AUTOCONF=no
IPV6_AUTOTUNNEL=no
IPV6_DEFAULTGW=FE80::1
IPV6_DEFAULTDEV=eth0
The second step is to open /etc/sysconfig/network-scripts/ifcfg-eth0 (assuming eth0 is the adapter in question) and add/edit these lines:IPV6INIT=yesIPV6ADDR=2001:DB8:xxxx:yyyy::zzzz/64 (this line to configure a static IPv6 address)
Now enter the command: service network restart
For Debian-based Linuxes (including Ubuntu and Mint), open /etc/sysctl.conf and add/edit this line:net.ipv6.conf.eth0.accept_ra=0
Then open /etc/network/interfaces and add/edit these lines:iface lo0 inet6 loopback
iface eth0 inet6 static
address 2001:DB8:xxxx:yyyy::zzzz (your static IPv6 address, if needed)netmask 64
gateway FE80::1
Now enter the command: sudo /etc/init.d/networking restart
IPv6 traffic blocking and filtration in Linux is possible with the ip6tables firewall. On your firewall host, issue the command ip6tables -P INPUT DROP
to block all non-permitted traffic. Then enable inbound traffic as you
see fit; for example, to permit HTTP (port 80) to reach your web server,
enter ip6tables -A INPUT -d 2001:db8::1234:abcd:90ab:5678 -p tcp --dport 80 -j ACCEPT. Ip6tables uses the same command syntax as iptables.
If you want to configure a Linux host to act as an IPv6-capable router, you must enable the Router Advertisement Daemon (RADVD).
RADVD listens for Router Solicitations (RS) and responds with Router
Advertisement (RA) replies. This is the same process as described in the
IP address acquisition section above. You can tweak RADVD’s parameters in /etc/radvd.conf.
Linux clients can utilize Teredo tunneling courtesy of the Miredo tunneling client.
Be sure to have a look at the ‘IPv6 and Linux’ links below.↑ Up to page menu

Configuring IPv6 on Windows

Windows Server 2008 was the first version of Windows to ship with
IPv6 enabled by default (Microsoft’s calls its implementation of IPv6 in
Server 2008 and Windows Vista the “Next Generation TCP/IP Stack”). Windows 8 not only ships with IPv6 enabled by default, it is actually the operating system’s preferred protocol
over IPv4. Windows Vista, 7, Server 2008, and 8 will enable Teredo and
6to4 by default. What this means is that the 6to4 tunneling protocol is
enabled in Windows 7, Windows Vista, Windows Server 2008 R2, and Windows
Server 2008 when an interface is assigned a public IPv4
address (i.e., an address not in the private ranges of 10.0.0.0/8,
172.16.0.0/12, or 192.168.0.0/16). 6to4 will automatically assign an
IPv6 address to the 6to4 tunneling interface for each such address that
is assigned, and 6to4 will dynamically register these IPv6 addresses on
the assigned DNS server. To disable IPv6 or enable/disable certain
IPv6-related features, follow the instructions in Microsoft KB929852.
With a little effort, IPv6 can be installed and enabled on Windows XP
and Windows Server 2003. To install IPv6 on Windows XP, open up a
command prompt and type: netsh int ipv6 install. To uninstall, type: netsh int ipv6 uninstall. If you prefer to install/uninstall with the Windows XP graphical user interface (GUI), see instructions here. However, XP and Server 2003 are not compatible with DHCPv6
(though they can engage in SLAAC). Also note that while Windows XP can
only perform DNS queries over IPv4, it can query for AAAA records.
Instructions to install, configure, and uninstall IPv6 on Windows Server 2003 can be found here and here.
In Windows XP and Windows Server 2003, the IPv6 interface ID is
derived from the Extended Unique Identifier (EUI)-64 address. In Windows
Vista and Windows Server 2008, the interface ID by default is randomly
derived, rather than based on the EUI-64 address. You can disable random
interface IDs with the netsh interface ipv6 set global randomizeidentifiers=disabled command.
IPv6 in Windows XP and Windows Server 2003 uses the Automatic
Tunneling Pseudo-Interface for encapsulating IPv6 packets with an IPv4
header so that they can be transmitted across an IPv4 network. By
default, IPv6 configures a link-local Intra-Site Automatic Tunnel
Addressing Protocol (ISATAP) address on the Automatic Tunneling Pseudo-Interface. The link-local ISATAP address has the form FE80::200:5EFE:w.x.y.x or FE80::5EFE:w.x.y.x, in which w.x.y.x is an IPv4 address.
To specify your IPv6 address parameters in Windows, click the System
Menu, Control Panel, Network and Sharing Center, and then Change Adapter
Settings. Now right-click your network interface and choose Properties.
Highlight ‘Internet Protocol Version 6 (TCP/IPv6)’ and click
Properties..
Be sure to have a look at the ‘IPv6 and Microsoft’ links below.↑ Up to page menu